In March 2023, Deputy Attorney General, Lisa Monaco, and Assistant Attorney General, Kenneth Polite, Jr., announced multiple additions to Department of Justice (DOJ) policy at the American Bar Association’s (ABA) 38th Annual National Institute on White Collar Crime. In their addresses, they revealed that the DOJ has developed the following policies:

• A Voluntary Self-Disclosure (VSD) Policy for incentivizing reporting corporate misconduct.
• A Pilot Program on Compensation Incentives and Clawbacks to “shift the burden of corporate malfeasance away from uninvolved shareholders onto those more directly responsible.”
• An updated Evaluation of Corporate Compliance Programs (ECCP) memorandum to clarify the DOJ’s expectations regarding the use of personal devices for company business.

Companies that commit potential misconduct but abide by these updated policies can become eligible for reduced fines and/or lesser criminal liability.

New Voluntary Self-Disclosure Policy to Incentivize Reporting Misconduct

The United States Attorneys’ Offices Voluntary Self-Disclosure Policy addresses situations where a company learns of misconduct committed by its own employees or agents. The DOJ explained that the rationale for the VSD Policy is to help the government “investigate and hold wrongdoers accountable more quickly.” To achieve this goal, this policy establishes strong incentives for companies to self-report their own misconduct to the government, with some limitations.

In order for self-disclosure to be considered a VSD, and thus render a company eligible for leniency by the prosecuting United States Attorney’s Office (USAO), it must satisfy the following criteria:

1. There must not be a pre-existing obligation to disclose (e.g.. a regulation, contract, or prior DOJ resolution).
2. The disclosure must be timely. A disclosure is timely if it is made:
   • Before imminent threat of disclosure or government investigation, pursuant to United States Sentencing Commission (U.S.S.G.) Guidelines § 8C2.5(g)(1) (“Self-Report, Cooperation, and Acceptance of Responsibility”). The Guidelines are published by the U.S.S.G. and assist federal judges in determining sentences for criminal defendants.
   • Before the misconduct is publicly disclosed or the government otherwise becomes aware of the misconduct.
   • “Within a reasonably prompt time” once the company learns of the misconduct. The company has the burden of establishing that it acted promptly.
3. The disclosure must include “all relevant facts” regarding the misconduct that are known by the company at that time. In the event that the company does not know all of the relevant facts at the time of disclosure, the company must identify that the disclosure is based on a “preliminary investigation” or “assessment of information.”
4. The company must “preserve, collect, and produce relevant documents and/or information” and “provide timely factual updates to the USAO.” The company must also provide updates to the USAO regarding any internal investigations it undertakes.

When a company meets all these criteria, the prosecuting USAO will not seek a guilty plea, absent the presence of an “Aggravating” factor. Examples of Aggravating factors include, but are not limited to, misconduct that (1) “poses a grave threat to national security, public health, or the environment”; (2) is “deeply pervasive” within the company; or (3) involve the company’s “current executive management.” Moreover, the VSD Policy provides that even if all VSD criteria are not met, self-disclosures to the government will nonetheless be “considered favorably” which can result in a more lenient resolution than would be available in the absence of self-disclosure.

In house counsel must, however, be mindful of the fact that voluntary self-disclosure of misconduct does not necessarily steer the company clear of all penalties. Companies seeking to reap benefits from the VSD Policy must agree to pay “all disgorgement, forfeiture, and restitution” resulting from its misconduct, as well as other potential forms of appropriate remediation. For example, the prosecuting USAO may still impose a criminal penalty that is not “greater than 50% below the low end of the U.S. Sentencing Guidelines fine range.”

Moreover, when a company voluntarily self-discloses misconduct, and one or more aggravating factors are present warranting a guilty plea, the prosecuting USAO will recommend a reduction between 50% and 75% below the low end of the U.S. Sentencing Guidelines fine range after any applicable reduction.

Finally, the VSD Policy provides that the prosecuting USAO will not require the appointment of an independent compliance monitor in situations where a company “voluntarily self-discloses the relevant conduct and timely and appropriately remediates the criminal conduct” (even where an aggravating factor is present), provided that the company “demonstrates at the time of resolution that it has implemented and tested an effective compliance program.”

Pilot Program Addressing Corporate Compensation

The DOJ Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks is designed to “reward corporations that develop solutions to incentivize better compliance through their compensation systems.” The Program lasts from March 15, 2023 to March 14, 2026.

While the Program is in place, every corporate resolution entered by the Criminal Division must require that the resolving company implement criteria “related to compliance in its compensation and bonus system.” While the Criminal Division did not mandate the criteria to be used, it provided examples. These examples include:

• Prohibiting bonuses for employees who do not satisfy compliance performance program requirements.
• Implementing discipline for employees who commit misconduct (as well as for their supervisors who either knew or were “willfully blind to” their employees’/business area’s misconduct).
• Implementing incentives for employees who demonstrate “full commitment” to compliance processes.

The Program also mandates fine reductions for criminal resolutions when a company “fully cooperates and timely and appropriately remediates.” Provided that (1) the company also demonstrates that it has a system to recoup compensation from employees who committed the wrongdoing, or recoup compensation from the culpable employee’s supervisors who either knew or were “willfully blind to” the misconduct committed by their employees or business area; and (2) if the company has begun the process to recoup such compensation at the time of resolution, prosecutors are to reduce the fine by the amount that the company was able to successfully recoup.

Updated DOJ Compliance Program Standards Governing Use of Personal Communication Devices

DOJ prosecutors have long considered “the adequacy and effectiveness” of a company’s compliance program when investigating a company, deciding to bring charges against a company, or negotiating a plea or other agreements. To assist prosecutors in making informed decisions about the quality of a company’s compliance program, the DOJ created an Evaluation of Corporate Compliance Programs memorandum.

With the rise in usage of messaging applications for business-related purposes, in March 2023, the DOJ updated the memorandum to address how prosecutors are to evaluate a company’s policies and procedures governing the use of personal devices, communication platforms, and messaging applications, including messaging systems where the communications are temporary. Companies should have policies that ensure that “business-related electronic data and communications are accessible and amendable to preservation by the company.”

When evaluating the adequacy and effectiveness of a company’s compliance program, prosecutors are to consider an array of questions that address the company’s usage of electronic communications, including:

• “What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?”
• “What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?”
• “What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?”
• “What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?”
• “If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?”
• “How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?”
• “If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?”
• “What are the consequences for employees who refuse the company access to company communications?”
• “How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?”

Answers to these questions are critical to any company under investigation. As Assistant Attorney General Polite stated in his address to the ABA, “During the investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things. A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability.”

Takeaways:

1. The DOJ has created powerful incentives to voluntarily self-report misconduct. A company that timely identifies and discloses its own misconduct may be able to avoid a guilty plea and may achieve a resolution with significantly reduced fines and financial penalties.
2. Companies that seek clawbacks of compensation from employees who have committed misconduct and/or their managers will be subject to potentially significantly reduced fines.
3. Companies without policies and procedures that govern personal devices, communications platforms and messaging applications subject themselves to increased scrutiny from the DOJ. In this environment, in house counsel should work with compliance teams to evaluate existing compliance programs and update them.
4. Compliance programs should include clear statements articulating consequences for employees who engage in misconduct, and for their managers. Compliance policies should address how adherence to policies impacts compensation and should address the possibility of clawback of compensation from offending employees.
5. Compliance policies should be updated to address the use and preservation of communications on all messaging platforms employees may use when conducting company business. Such policies must address preservation of information where employees utilize both company devices, and circumstances where employees use devices they own themselves. 
6. Compliance programs and policies are only effective to the extent company employees understand them and recognize that they will be vigorously enforced. Now is an opportune time to educate employees regarding program updates, and the standards imposed by DOJ.

If you have any questions about the latest DOJ policies, are concerned about whether your organization is in compliance with DOJ requirements, or would like assistance educating your team regarding these developments, please contact a member of our Government Investigations, White Collar & Compliance Practice Group.